Again, I’ll assume you are running PowerShell 3.0 and have access to the Microsoft Active Directory module on your desktop.
Do it for one
In PowerShell, managing group membership is done from the group side using Add-ADGroupMember. You specify the name of the group and the name of the user account to add. Let’s take Al Fredo from our last example who was recently promoted. Now we need to add him to the Chicago Executive group. We can do this in two steps. First, get the user account.
PS C:\> $user = get-aduser afredo
Then add the account to the group.
PS C:\> Add-ADGroupMember "Chicago Executive" -Members $user
These two commands can be combined into a single expression.
PS C:\> Add-ADGroupMember "Chicago Executive" -Members (get-aduser afredo)
Let’s verify:
PS C:\> get-adgroupmember "Chicago Executive" | select name
name
----
Roy G. Biv
Al Fredo
Marilee Claessens
Lakesha Bartolini
Lewis Molek
George Washington
Do it for many
Are you getting an idea of how to do the same thing for many user accounts? Let’s say we are setting up a new distribution list for the Customer Service members we relocated last time. First, I need to create the group.
PS C:\> new-adgroup "Globomantics Customer Service" -GroupScope Global -GroupCategory Distribution -Path "OU=Groups,OU=Employees,DC=Globomantics,DC=local"
I can verify the group.
PS C:\> get-adgroup "Globomantics Customer Service"
DistinguishedName : CN=Globomantics Customer Service,OU=Groups,OU=Employees,DC=GLOBOMANTICS,DC=local
GroupCategory     : Distribution
GroupScope        : Global
Name              : Globomantics Customer Service
ObjectClass       : group
ObjectGUID        : 846ce751-ac9c-44a0-88fd-b62a5f5a6718
SamAccountName    : Globomantics Customer Service
SID               : S-1-5-21-2552845031-2197025230-307725880-13105
Excellent. Now to use the same technique and get all of the customer service users.
PS C:\> $csusers = get-aduser -filter "department -eq 'Customer Service'"
And then add them to the group.
PS C:\> add-adgroupmember "Globomantics Customer Service" -Members $csusers
Or as before, I could combine this into a single expression.
PS C:\> add-adgroupmember "Globomantics Customer Service" -Members (get-aduser -filter "department -eq 'Customer Service'")
Just like that I added 14 user accounts to the new group.
PS C:\> get-adgroupmember "Globomantics Customer Service" | measure | select count
Count
-----
   14
Now, imagine if this was 140 or 1400 user accounts spread out across your entire Active Directory!
Removing from a group
By the way, it is equally easy to remove members from the group. Let’s say the company is closing the Reno office and laying off the staff. Here’s who is in the group now.
PS C:\> Get-ADGroupMember "Globomantics Customer Service" | get-aduser -Properties City | Sort City | Select Name,City
Name                 City
----                 ----
Donella Males        Chicago
Eddie Geasley        Chicago
Dick Elftman         Chicago
Dora Witsell         Chicago
Flo Novelli          Des Moines
Francis Harnes       Des Moines
Gene Everman         Des Moines
Floyd Piersol        Des Moines
Graig Pfifer         Des Moines
Herma Toher          Reno
Hershel Warshaw      Reno
Ellsworth Deutschman Tampa
Erika Laity          Tampa
Emmanuel Umlauf      Tampa
The Get-ADGroupMember cmdlet writes a brief user object to the pipeline which we can pipe back to Get-ADUser to get the city property.
We need to remove the Reno accounts from the distribution list so let’s modify the previous expression to get just the 2 Reno users.
PS C:\> $reno = Get-ADGroupMember "Globomantics Customer Service" | get-aduser -Properties City | where { $_.city -eq 'Reno'}
PS C:\> $reno.name
Hershel Warshaw
Herma Toher
In this situation we need to use Where-Object to do our filtering, since we already have user accounts from Get-ADGroupMember but need to pass them through a second filter for the city. Now that we’ve confirmed the names, we can remove them from the group.
PS C:\> Remove-ADGroupMember "Globomantics Customer Service" -Members $reno
PowerShell will prompt you. If you want to skip the prompt do this:
PS C:\> Remove-ADGroupMember "Globomantics Customer Service" -Members $reno -confirm:$false
As I demonstrated in the previous article, if this is a common task in your environment you can take these commands and build a simple PowerShell tool.
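One way to wrap the removal steps above into such a tool, as an added example that is not code from the original article: the function name Remove-GroupMemberByCity, its parameters and the snapshot file path are assumptions made for illustration. It keeps the "verify first" step by supporting -WhatIf and records what it removed.

```powershell
#requires -Modules ActiveDirectory

# Added example: Remove-GroupMemberByCity is a hypothetical helper, not an AD module cmdlet.
function Remove-GroupMemberByCity {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$City,
        # Assumed location for the pre-change membership snapshot.
        [string]$BackupPath = ".\$($Group -replace '[^\w-]', '_')-members.csv"
    )

    # A group can also hold computers and nested groups; Get-ADUser would
    # throw on those, so keep only user objects before the lookup.
    $members = Get-ADGroupMember -Identity $Group |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties City

    # Snapshot the current user membership so a wrong removal can be reversed
    # with Add-ADGroupMember. Export-Csv honours -WhatIf too, so a preview run
    # writes nothing.
    $members | Select-Object Name, SamAccountName, City, DistinguishedName |
        Export-Csv -Path $BackupPath -NoTypeInformation

    $targets = @($members | Where-Object { $_.City -eq $City })
    if ($targets.Count -eq 0) {
        Write-Warning "No members of '$Group' have City = '$City'."
        return
    }

    foreach ($user in $targets) {
        # ShouldProcess handles -WhatIf and -Confirm for this function, so the
        # inner cmdlet's own prompt can be suppressed without losing the check.
        if ($PSCmdlet.ShouldProcess($user.Name, "Remove from '$Group'")) {
            Remove-ADGroupMember -Identity $Group -Members $user -Confirm:$false
            # Emit one record per removal for logging or review.
            [pscustomobject]@{
                Time  = Get-Date
                Group = $Group
                User  = $user.SamAccountName
                City  = $user.City
            }
        }
    }
}

# Preview only: lists the accounts that would be removed and changes nothing.
Remove-GroupMemberByCity -Group 'Globomantics Customer Service' -City 'Reno' -WhatIf
```

Run it again without -WhatIf once the preview matches the names you expect; because ConfirmImpact is High, it prompts per account unless you pass -Confirm:$false.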
Summary
A great deal of PowerShell is premised on this concept of getting a bunch of somethings and then doing some action on that collection. In this case, I got a bunch of user accounts that met some criteria and then did something with them: adding them to a group.
If you are just starting out with PowerShell and the AD cmdlets, I encourage you to take the two steps at first to verify you are getting the accounts you want before adding them to (or removing them from) a group.
One word: “Awesome”. I am also trying to experiment with something but am not able to do it. I have described it below:
In my environment I have 30 distribution groups which are like a.dept, b.dept, c.dept, …etc. There is a user named “user 1”, and I need to add this user to all these groups in a single shot.
See if something like this helps:
get-adgroup -filter "Name -like 'DL-Test*'" | Add-ADGroupMember -Members (Get-ADUser ashowers)
If the group names are all over the place, it will be much harder to do as a one-line command.
Hi there, new into programming.
I am working in PowerShell and am having difficulty adding members to a certain group.
example being: add-adgroupmember "Mark Smith" -Members (get-aduser -filter "department -eg 'Students')
However this is not working for it either. I have tried a ton of different variations to this. Any advice would be greatly appreciated!